Agencies Can Be Exposed to Vulnerabilities from Server Closets
The typical server closet at an agency facility is literally a broom closet or storage closet that has been converted into a server room with no proper cooling or ventilation. Officials often pop off ceiling tiles to allow the heat from equipment to escape the room.
Physical security is an issue, as there often is no advanced security solution on the door controlling access to the room. There are often no cameras or motion sensors monitoring the closet, and unauthorized personnel can sometimes easily access the room if it is left unlocked. Unauthorized users could tamper with or steal equipment. Such closets can also be dirty, and that can lead to buildups of dust and static charges.
From an IT perspective, these facilities are often not counted on the list of IT assets that agencies closely track. The hardware is often outdated and unpatched. The data on them is often not properly backed up. And the offices that support such server closets typically do not have adequate IT staff to inspect and manage the equipment.
How Agencies Can Truly Optimize Small Data Centers
Optimizing and consolidating server closets “generally incurs large costs for agencies, with little or no benefit from efficiencies gained,” OMB states in its June 2019 guidance. “This often introduces additional hurdles in the form of increased latency and other performance detriments that unfavorably affect agency mission delivery.”
Agencies often have a reason to keep such facilities up and running, such as limited bandwidth on their networks or the fact that the office is in a location where weather can impact network performance. Or, there may be a specialized piece of hardware that only locally based officials have knowledge of.
In the past, IT officials may have not included such closets in their official count of data centers because they did not want to have to shut them down. Now, OMB has given agencies permission to keep them running. That shift in messaging should give IT leaders an opening to modernize such facilities.
IT leaders should start by treating such closets like actual data centers and training staff to treat them as such as well. They should upgrade physical security to ensure that they can only be accessed by approved personnel and that the equipment inside is closely monitored via cameras or motion sensors.
Now that these closets can be treated not as problems to hide but as facilities to be managed, IT leaders should push to allocate budgeting for upgrades to the server equipment inside them. Taking that step will lead to newer equipment with more advanced security. It will also ensure agencies can continue to meet their mission needs. IT leaders should also ensure that such facilities have proper power and cooling solutions in place.
None of this is that expensive, but it is also not free. However, these investments are worthwhile as they will ensure the long-term survivability of agencies’ IT capabilities.
The updated DCOI guidance means that server closets are no longer tracked the way large data centers are. However, that does not erase them from existence and does not address their vulnerabilities.
IT leaders and their staff need to know that they can come out of the dark and get funding to make sure these facilities are both secure and functional. If they want to modernize such facilities they can, but they need to speak up and start doing the work of modernization.